Time is Your Foe and Automation is Your Friend during DDoS Attacks

During a DDoS attack, time can be your biggest enemy. Lost seconds can decide whether you mitigate an attack in time or suffer costly network downtime. Anything that shortens your Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to an attack gives you a clear advantage.

This issue has been amplified due to today’s cloud and enterprise environments, where the combination of greater dependence on internet connectivity and a wider range of security threats can overwhelm network and security operations teams. They are under increasing pressure to make critical, on-the-fly judgements about which threats are real and which mitigation measures to deploy, all while the clock is ticking.

Automation, therefore, becomes a high priority in the selection of your DDoS defences. An intelligent solution can buy you precious time by detecting attacks early and automatically deploying the appropriate countermeasures. But automation must block attacks without blocking legitimate traffic, and it must inform the operator what was blocked and why. In other words, to be effective it must lead users to the right answer, provide context and supporting analytics and, most importantly, be human-guided – not ‘black box’.

Intelligent DDoS mitigation automation works in three ways:

1. Built-in Countermeasures

It is essential to have a variety of built-in automated countermeasures, each designed to detect and automatically engage on specific types of attacks based on the intelligence you have about the current attack landscape. When an Automation Protection System (APS) detects an attack, such as a TCP SYN flood, blacklisted hosts or multiple connection attempts from a single host, it automatically enables or disables the right countermeasures to mitigate those attack types and provides detailed analytics and reporting on the events.

If an attack happens to be in progress when the APS is initially deployed, its countermeasures can still activate immediately, because it does not require a learning period or baselining. Although these built-in countermeasures are designed to work effectively right out of the box, many can also be custom-configured to trigger based on user security policies and risk thresholds.

2. Threat Intelligence Feed

Without an intelligence feed providing you with real-time visibility into threat activity across the internet worldwide, you are not able to act on the threats that could affect your organisation. More than simply collecting and analysing data, you need to curate and operationalise this threat intelligence into threat policies and countermeasures. Your APS needs to detect suspicious traffic flows that match your active threat policies, so it can automatically block the traffic and indicate what it blocked and why in real-time reports.
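The following is an added example, not code from the article or from any vendor's APS product. It sketches how the built-in countermeasures and threat-policy matching described in the two sections above can be modelled: a small engine evaluates one time window of constructed packet records against static thresholds (no learning period or baselining), engages a global SYN-flood countermeasure when the aggregate SYN rate crosses the threshold, releases it when the rate falls back, blocks individual hosts that exceed a per-source connection-attempt limit or that appear on a blacklist fed from threat intelligence, and records an operator-facing reason for every decision. The threshold values, countermeasure names, IP addresses and traffic are all constructed for the illustration.

```python
# Added example, not vendor code: a toy version of the built-in
# countermeasure logic and threat-policy matching described above.
# Threshold values, IP addresses and countermeasure names are constructed.
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Packet:
    ts: float     # seconds into the window
    src: str      # source IP
    dport: int    # destination port
    flags: str    # "S" = SYN only, "SA" = SYN-ACK, "A" = ACK


@dataclass
class Policy:
    # Static thresholds: no learning period or baselining is needed, so the
    # engine can act on the very first window it sees.
    syn_per_second: int = 100    # hypothetical SYN flood threshold
    conns_per_host: int = 20     # hypothetical per-source attempt limit
    blacklist: set = field(default_factory=set)  # curated threat-intel feed


@dataclass
class Decision:
    action: str          # "block", "enable" or "disable"
    target: str          # host affected, or "*" for a global countermeasure
    countermeasure: str  # which countermeasure was engaged or released
    reason: str          # operator-facing explanation of why


class CountermeasureEngine:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.active: set = set()   # globally engaged countermeasures
        self.blocked: set = set()  # hosts currently blocked
        self.analytics: list = []  # per-window reporting data

    def evaluate_window(self, packets, window_seconds=1.0):
        """Evaluate one time window; return the Decisions taken in it."""
        decisions = []
        syn_by_src = Counter()
        for p in packets:
            # Threat policy: a source on the curated blacklist is blocked, and
            # the decision records which policy matched.
            if p.src in self.policy.blacklist and p.src not in self.blocked:
                self.blocked.add(p.src)
                decisions.append(Decision(
                    "block", p.src, "threat_policy_blacklist",
                    f"{p.src} matches an active threat-intelligence blacklist"))
            if p.flags == "S":
                syn_by_src[p.src] += 1

        syn_rate = sum(syn_by_src.values()) / window_seconds
        # SYN flood: engage a global countermeasure when the aggregate SYN
        # rate crosses the threshold, and release it once the rate drops.
        cm = "tcp_syn_authentication"
        if syn_rate > self.policy.syn_per_second and cm not in self.active:
            self.active.add(cm)
            decisions.append(Decision("enable", "*", cm,
                f"SYN rate {syn_rate:.0f}/s exceeds {self.policy.syn_per_second}/s"))
        elif syn_rate <= self.policy.syn_per_second and cm in self.active:
            self.active.discard(cm)
            decisions.append(Decision("disable", "*", cm,
                f"SYN rate {syn_rate:.0f}/s is back under {self.policy.syn_per_second}/s"))

        # Multiple connection attempts from a single host.
        for src, n in syn_by_src.items():
            if n > self.policy.conns_per_host and src not in self.blocked:
                self.blocked.add(src)
                decisions.append(Decision("block", src, "per_host_connection_limit",
                    f"{src} attempted {n} connections in {window_seconds:g}s "
                    f"(limit {self.policy.conns_per_host})"))

        self.analytics.append({"syn_rate": syn_rate,
                               "top_talkers": syn_by_src.most_common(3),
                               "blocked": sorted(self.blocked),
                               "active": sorted(self.active)})
        return decisions


def constructed_attack_window():
    """Constructed traffic: a flooding host, a blacklisted host, a normal client."""
    pkts = [Packet(i / 150, "203.0.113.5", 443, "S") for i in range(150)]
    pkts += [Packet(0.2 * i, "198.51.100.7", 443, "S") for i in range(3)]
    pkts += [Packet(0.1 * i, "192.0.2.10", 443, "S") for i in range(5)]
    return pkts


def constructed_quiet_window():
    """Constructed traffic after the flood subsides: only the normal client."""
    return [Packet(0.1 * i, "192.0.2.10", 443, "S") for i in range(5)]


if __name__ == "__main__":
    engine = CountermeasureEngine(Policy(blacklist={"198.51.100.7"}))
    for window in (constructed_attack_window(), constructed_quiet_window()):
        for d in engine.evaluate_window(window):
            print(f"{d.action:<7} {d.target:<14} {d.countermeasure:<26} {d.reason}")
```

Running it prints three decisions for the attack window (the blacklisted host blocked by threat policy, the SYN-authentication countermeasure enabled, the flooding host blocked on the per-host limit) and one for the quiet window (the countermeasure released). The `reason` field and the per-window `analytics` list are the point: an operator can see what was blocked and why rather than trusting a black box, and the thresholds in `Policy` are the knobs a real product would expose for tuning to local risk appetite.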

Security experts are increasingly recommending a layered or hybrid DDoS strategy combining on-premise and cloud-based mitigation capabilities for maximum effectiveness. This gives organisations a scalable defence solution that can adapt to different types and sizes of attacks: the on-premise device can immediately detect and mitigate the majority of smaller-scale, ‘low and slow’ attacks that typically target firewalls, IPS systems and network perimeter devices, whereas larger-scale volumetric attacks are best mitigated at the service provider level in the cloud. However, thwarting these multi-layer attacks requires the two defensive components to work in synchronisation.

Cloud Signalling is the mechanism by which the on-premises component (the APS) communicates in real time with the service provider’s cloud defences to synchronise this mitigation action. If the attack volume at the premises escalates to a user-specified threshold, Cloud Signalling can automatically trigger the cloud mitigation countermeasures and share attack data such as blocked IP addresses. Security operators can also initiate Cloud Signalling manually when they see a growing threat. Network and security teams need a hybrid approach that gives them enough flexibility to configure and fine-tune their Cloud Signalling policies.
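As an added example (not the article's or any provider's actual signalling protocol), the escalation behaviour described above can be modelled with both sides of the exchange: a premises-side component watches measured attack volume against a user-specified threshold, auto-escalates to the provider after a configurable number of consecutive samples over it, shares the IP addresses it has already blocked, releases the cloud mitigation once volume falls below a lower hysteresis level, and also accepts a manual escalation from an operator. The class names, message fields, threshold values, sample volumes and IP addresses are all constructed for the illustration.

```python
# Added example, not vendor code: a toy model of the Cloud Signalling
# escalation described above, with both the premises and provider sides.
# Thresholds, sample volumes and IP addresses are constructed.
from dataclasses import dataclass, field


@dataclass
class CloudSignallingPolicy:
    escalate_mbps: float       # user-specified premises volume threshold
    release_mbps: float        # hysteresis: release only well below threshold
    consecutive_samples: int   # samples over threshold before auto-trigger


@dataclass
class CloudSignal:
    kind: str        # "escalate" or "release"
    trigger: str     # "auto" or "manual"
    reason: str      # operator-facing explanation
    blocked_ips: list = field(default_factory=list)  # shared attack data


class ProviderCloudDefence:
    """Provider side: receives signals and records its mitigation state."""
    def __init__(self):
        self.mitigating = False
        self.blocklist: set = set()
        self.received: list = []

    def receive(self, signal: CloudSignal):
        self.received.append(signal)
        if signal.kind == "escalate":
            self.mitigating = True
            self.blocklist.update(signal.blocked_ips)
        else:
            self.mitigating = False
        return {"ok": True, "mitigating": self.mitigating}


class PremisesCloudSignalling:
    """APS side: watches attack volume and signals the provider."""
    def __init__(self, policy: CloudSignallingPolicy, provider: ProviderCloudDefence):
        self.policy = policy
        self.provider = provider
        self.escalated = False
        self.over = 0   # consecutive samples at or above the threshold

    def observe(self, mbps: float, blocked_ips):
        """Feed one volume sample; returns the CloudSignal sent, if any."""
        p = self.policy
        if not self.escalated:
            self.over = self.over + 1 if mbps >= p.escalate_mbps else 0
            if self.over >= p.consecutive_samples:
                return self._send(CloudSignal(
                    "escalate", "auto",
                    f"premises attack volume {mbps:g} Mbps >= {p.escalate_mbps:g} Mbps "
                    f"for {self.over} consecutive samples", list(blocked_ips)))
        elif mbps < p.release_mbps:
            return self._send(CloudSignal(
                "release", "auto",
                f"attack volume {mbps:g} Mbps below release level {p.release_mbps:g} Mbps"))
        return None

    def manual_escalate(self, operator: str, blocked_ips):
        """Operator-initiated signalling when a threat is seen growing."""
        if self.escalated:
            return None
        return self._send(CloudSignal(
            "escalate", "manual", f"requested by operator {operator}", list(blocked_ips)))

    def _send(self, signal: CloudSignal):
        self.provider.receive(signal)
        self.escalated = signal.kind == "escalate"
        self.over = 0
        return signal


def run_constructed_scenario():
    """Constructed volume samples: a flood ramps up, then subsides."""
    provider = ProviderCloudDefence()
    aps = PremisesCloudSignalling(
        CloudSignallingPolicy(escalate_mbps=8000, release_mbps=2000, consecutive_samples=3),
        provider)
    blocked = ["203.0.113.5", "203.0.113.9"]   # already blocked at the premises
    samples = [500, 9000, 9500, 9800, 9900, 1500]
    sent = [aps.observe(m, blocked) for m in samples]
    return provider, [s for s in sent if s is not None]


if __name__ == "__main__":
    provider, signals = run_constructed_scenario()
    for s in signals:
        print(f"{s.kind:<9} ({s.trigger}) {s.reason}")
    print("provider blocklist:", sorted(provider.blocklist))
```

In the constructed run the first over-threshold sample does not escalate on its own; the third consecutive one does, which is the kind of policy knob the article has in mind when it says teams need the flexibility to fine-tune Cloud Signalling. The separate, lower `release_mbps` level stops the two sides flapping in and out of mitigation as the volume hovers around the trigger point, and the provider ends the scenario holding the shared blocklist even after mitigation is released.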


Copyright 2018 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.